Security pros talk, but can they walk?

LAS VEGAS--The past two weeks have been typical of the current state
of Internet security: Industry and government leaders say they're
focused on improving security while flaws continue to be found and
exploited.

"People are making security a bigger topic of conversation than it was,
but in the end I think it's been mostly talk, and not a whole lot of
action," said Marc Maiffret, chief hacking officer for network
protection company eEye Digital Security.

That lack of progress is especially worrisome as hackers and
security experts gather in Las Vegas this week for Black Hat Briefings,
which begins Wednesday, and the security industry's most infamous
confab, DefCon, which starts Friday.

The DefCon convention--a celebration of hacker culture and security
knowledge--brings together experts from the hacker underground,
security-industry stars and a monochromatic gathering of geek groupies.
The convention has frequently acted as a catalyst for online mischief
but also for a spirited discussion among companies, government
officials and hackers about how to protect the Internet from attack.

But that's part of the problem--lots of talk but plenty of lingering problems.

"I think some of the more apparent issues are being resolved--viruses
propagating through e-mail, for example," said Pete Lindstrom, research
director for consultancy Spire Security, who added that he doesn't
think that "we have seen progress other than that in any specific way."

The failures persist despite government intervention and corporate
attention. In February, the Bush administration delivered the National
Strategy to Secure Cyberspace, a document that describes where the
United States is in terms of Internet security. But critics said it
contained few concrete proposals, and the two people who had the
largest role in creating the document have since departed: Richard
Clarke in March, and Howard Schmidt in April.

The industry has had its share of security black eyes as well. More
than a year into its Trustworthy Computing initiative, Microsoft had to
deal with major flaws in its Passport identity services, the Slammer
worm's attack on vulnerable Microsoft SQL servers and a major flaw that
created the possibility of another serious worm incident.

Meanwhile, Cisco Systems warned its customers that a serious flaw
in its routers--the network hardware that directs data around the Internet--could allow an attacker to shut down the devices.

Jeff Jones, senior director for Microsoft's Trustworthy Computing initiative, conceded that there is much work to do.

"I think the industry is improving overall," Jones said. "But a single
year is too short of a time for anyone to declare success. I don't
think anyone said that (our track record) was going to be perfect."

The disclosure debate

Of the many topics to be debated this week, the most contentious is
likely to center on notification. Specifically, there is a deep split
about whether serious flaws should be publicized before vendors can fix
them.

When giants such as Microsoft and Cisco falter, security researchers
are quick to point out the flaws, arguing that the public's need to
know outweighs the companies' desire to quietly work on a patch.

The Organization for Internet Safety released on Tuesday its final
guidelines for disclosure, a document that the group of software and
security companies hopes the research community will adopt. The
document calls for researchers to give software companies at least 30
days to fix a vulnerability and release a patch, and to let at least
another 30 days pass before releasing significant details of the
vulnerability.

Such guidelines are necessary to give software makers time to fix
their problems before putting their customers at risk, said Mary Ann
Davidson, chief security officer for database software maker Oracle, a
member of the group.

"My biggest concern is about recklessness in the research
community--it's really scary," Davidson said. "They need to understand
that exploits have real consequences. The vendors want to do it faster
too, but they want to do it faster without destabilizing things."

Davidson will take part in a panel discussion Wednesday at the Black
Hat conference that will focus on the need for restraint in releasing
details about security vulnerabilities.

Though some security companies already are playing by the proposed
rules, many independent security researchers and hackers continue to
compete to see who can get the most detailed exploit out the fastest.
Within a week of a major flaw being announced in Cisco's routers,
researchers had created code to exploit the vulnerability. And nine
days after the major flaw was found in Microsoft's operating system,
the research community had produced an easy-to-use program to attack
Windows-based computers.

HD Moore, a security researcher and founder of the Metasploit.com security Web site, improved on a program from a Chinese hacking group that exploited the Windows vulnerability.

"Companies don't want anyone to write an exploit at all," Moore
said. "That's understandable. They don't want a worm written into the
code, and they don't want their customers mad at them."

Moore believes that having exploit code available to the public
forces companies to keep their systems current, thus improving
security. Whether that's true is debatable, he admitted. However, the
pressure on the hacking community not to release exploit code has had a
negative side effect: Increasingly, hacking groups are keeping the code
to themselves and using it to cause harm to systems or to trade for
other programs. For example, before X-Focus released its program to
exploit the recent Windows flaw, at least three other groups had
already created their own.

"A year ago, there was a 50-50 split between private and public
exploits," Moore said. "Now it's more like 90 percent of the
vulnerabilities are private. (The Microsoft vulnerability) is one of
the few that made it into the public 10 percent."

By Moore's reasoning, the public program makes the Microsoft
vulnerability far less of a threat than the 90 percent of the exploit
programs people don't know about.